Mutual Authentication (Dictionary Entry)
- David Doret
Mutual Authentication
Definitions
Definition 1
A communication scheme where both communicating entities are authenticated to each other.
Mutual authentication requires more than two unilateral authentications in opposite directions, because of the relationship between these two opposite processes.
Mutual authentication protects against unauthorized access by mitigating man-in-the-middle attacks. In certain circumstances, it may mitigate DoS attacks as well.
When communication takes place between a server and a client, authentication of the client by the server may be incorrectly perceived as the only important security aspect. But without authentication of the server by the client, the server itself may be spoofed leading the way to multiple attacks.
Related Terms
Unilateral Authentication
Quotes
SRP-8
REQUIREMENT: The CSP SHALL ensure that all communications occur over a mutually authenticated protected channel. (5.3.3.2 #7)
SUPPLEMENTAL GUIDANCE: Mutually authenticated protected channels employ approved cryptography to encrypt communications between (sic)
Supervised remote identity proofing stations/kiosks are required to employ mutual authentication where both the station/kiosk and server authenticate to each other. This is most often accomplished through the use of mutual TLS. Upon successful mutual authentication, an encrypted communication channel is established between the workstation/kiosk and the server which protects the data exchanged between them.
ASSESSMENT OBJECTIVE: Confirm the CSP’s supervised remote identity proofing stations or kiosks communicate with the identity service via mutually authenticated protected channels.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: one or both the of the following:
● system documentation, such as remote identity proofing station specifications; or
● an actual supervised remote identity proofing station (kiosk) employed by the CSP.
(Fenton, 2020, p. 58-59)
3.2.2.4 Authentication and Data Integrity between ABAC Components
The authorization service requires strong mutual authentication between ABAC components (e.g., PEP, PDP) when authorization service components exchange sensitive information. For each exchange, proof of origin, data integrity, and timeliness should be considered. For example, when the authorization service needs to obtain attributes from an authoritative attribute service, mutual authentication should be used, followed by mechanisms for validating message integrity and message origin. Authentication protocols based on strong methods (e.g., X.509 authentication) should be used to provide the level of assurance needed by both parties involved in the attribute exchange.
(NIST SP 800-162, 2014, p. 28)
RADIUS
(…)
- Mutual authentication support: Man-in-the-middle attacks are possible with one-way authentication. Mutual authentication eliminates this risk by authenticating the RADIUS server and the client. The client initially passes its identification to the server, which responds with its identification so that both the server and the client are assured of mutual reliability. The same happens with the AP and the server.
(EC-Council, 2010, § 5-35)
DHCP Services
(…)
RFC 3118 appends authentication to DHCP and permits a client to confirm whether a specific DHCP server can be relied on and whether a request for DHCP information originates from a client that is certified to use the network. This mutual authentication in DHCP presents the additional security advantage of helping to protect DHCP clients and servers from DoS attacks and unauthorized access. RFC 3118 describes a method that can present both individual certification and message confirmation. This helps a DHCP client verify the uniqueness of the DHCP server it chooses in an unsecured network environment. This operation is very helpful for both a standard company Ethernet network and an Internet service provider (ISP).
(EC-Council, 2010, § 5-38-39)
11.4.2 Mutual Authentication
The basic mechanisms for message freshness or principal-liveness introduced so far achieve so-called "unilateral authentication" which means that only one of the two protocol participants is authenticated. In mutual authentication, both communicating entities are authenticated to each other.
ISO and IEC have standardized a number of mechanisms for mutual authentication. A signature based mechanism named "ISO Public Key Three-Pass Mutual Authentication Protocol" [148] is specified in prot 11.1. We choose to specify this mechanism in order to expose a common misunderstanding on mutual authentication.
One might want to consider that mutual authentication is simply twice unilateral authentication; that is, mutual authentication could be achieved by applying one of the basic unilateral authentication protocols in §11.4.1 twice in the opposite directions. However, this is not generally true!
A subtle relationship between mutual authentication and unilateral authentication was not clearly understood in an early stage of the ISO/IEC standardization process for prot 11.1. (…)
(Mao, 2003, § 11.4.2)
mutual authentication
Authentication of both ends of a communication session.
Overview
Traditional network authentication systems have centered around having the server authenticate the credentials of the client. They ignore authentication of the server by the client since it is assumed that the server is always a trusted entity. However, it is sometimes possible to spoof the identity of a server, especially in an Internet scenario in which information is sent over an insecure public communication system and is subject to eavesdropping, interception, and hijacking. Although simple consumer transactions such as users buying goods online may suffice with one-way authentication of clients by e-commerce servers, more costly business-to-business (B2B) and financial industry transactions need both ends of a communication channel to be authenticated before establishing a session and per- forming a transaction. Mutual authentication is the general term for any scheme by which both parties authenticate the other prior to sending sensitive information to each other.
One protocol that was developed for mutual authentication is Kerberos, a popular authentication protocol developed by the Massachusetts Institute of Technology (MIT) and used by Active Directory directory service in Microsoft Windows 2000 and Windows Server 2003. Other mutual authentication protocols include the following:
● Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
● Extensible Authentication Protocol/Transport Layer Security (EAP/TLS)
● Symmetric-Key Three-Pass Mutual Authentication Protocol defined in the ISO 9798 standardSee Also: authentication, Kerberos
(Tulloch, 2003, p. 199)
Bibliography
See Also
-
Mutual Authentication (Dictionary Entry) (Dictionary)
Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.
This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.
